Google Groups Misconfiguration Exposes Corporate Data

Researchers say as many as 10,000 businesses are affected by a widespread misconfiguration in Google Groups settings.

A widespread Google Groups misconfiguration is causing businesses to leak corporate data. Administrators are urged to review their settings and check how many of their Google Groups mailing lists should be configured as public and indexed by Google.com.

Businesses using G Suite have access to Google Groups, a service integrated with corporate mailing lists that provides teams with discussion groups. Researchers at Kenna Security, along with KrebsOnSecurity, categorized thousands of businesses using public Google Groups to handle customer support and oftentimes exchange private enterprise information.

Admins can accidentally expose email list contents as a result of "complexity in terminology" and "organization-wide vs. group-specific permissions," Kenna researchers say. More than 9,600 institutions - including hospitals, universities, media companies, government agencies, and Fortune 500 organizations - have public Google Groups settings. Of these, researchers found 3,000 are currently leaking some form of sensitive email.

G Suite administrators can use Google Groups to create mailing lists for messages to specific people, researchers explain. Groups grow as more people are added, and the risk to businesses increases if those people can create public accounts on groups that are otherwise private. As a result, many businesses are unknowingly leaking data in their messaging lists, Krebs explains.

Google Groups are private by default, and settings can be adjusted on a domain and per-group basis. Many businesses have Groups visibility configured to "Public on the Internet." As a result, Google Groups can leak emails that should be private but are searchable on Google. This exposes passwords, financial data, and employee names, addresses, and email addresses.

It's not hard to pull this data, Krebs points out. In most cases, all you have to do is access an organization's public Google Groups page and enter the search terms of your choice: "password," "account," "HR," and "username" are all simple examples. Businesses commonly use Google Groups to store customer support emails, which often contain personal data.

But it's not just customer data at risk. Google Groups configured to Public can also leave corporate data and internal resources open to the Internet. Kenna's investigation unearthed real emails with GitHub credentials, password recovery, invoices, and suspension documents.

"Given the sensitive nature of this information, possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse," Kenna reports.

The setting can be found by logging into https:// admins.google.com and searching "Groups Visibility." Unless your team requires some groups to be accessed by external users, Kenna recommends switching your domain-level Google Group settings to private. Researchers also advise checking individual group settings to determine they are properly configured.

If you want to know whether your data has been viewed by third parties, you can check the Google Groups feature that records the number of views for specific threats. It's worth noting that Kenna's investigation found this count is at zero for nearly all affected businesses, a sign that few, if any, users have used the interface - for either malicious or benign purposes.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.

An exploitable vulnerability exists in the verified boot protection of the Das U-Boot from version 2013.07-rc1 to 2014.07-rc2. The affected versions lack proper FIT signature enforcement, which allows an attacker to bypass U-Boot's verified boot and execute an unsigned kernel, embedded in a legacy i...